In a potentially groundbreaking dispute, Delta Air Lines is threatening to sue CrowdStrike, a leading cybersecurity firm, for alleged negligence and breach of contract. This case brings to the forefront critical questions about the duties vendors owe to their customers in an increasingly digital world.
As cybersecurity threats evolve, the expectations placed on vendors to safeguard sensitive data and maintain robust security measures are higher than ever, but these vendors cannot be responsible for every aspect of their customers’ environments. How can cybersecurity vendors and their customers balance these responsibilities effectively and minimize risk?
The dispute
At the end of July, Delta’s CEO indicated that the CrowdStrike-Microsoft event cost the airline $500M because the IT outage stranded thousands of customers and caused them to cancel more than 6,000 flights. This cost includes not only lost revenue but also “the tens of millions of dollars per day in compensation and hotels” for delays stretching over a period of six days.
Delta states that they have no choice but to seek damages from CrowdStrike for the disruptions due to the high costs incurred by the outage. Delta expected all technology deployed in their ecosystem to be thoroughly tested before release into their mission critical environment. Unfortunately, CrowdStrike’s testing did not identify the issue.
Do the legal arguments hold?
Media reports thus far indicate that Delta believes CrowdStrike was negligent, which they argue is shown by the seemingly weak initial CrowdStrike apology. Delta had to manually reset 40,000 servers to resolve the issue and took longer to bounce back to normal operations than its competitors, sparking an investigation by the US Department of Transportation’s Office of Aviation Consumer Protection. That investigation may result in additional costs for Delta on top of the reputational hits the airline has already endured.
CrowdStrike, on the other hand, argues that Delta’s claims are meritless and emphasizes their own efforts to appropriately assist vendors with recovery from the outage, satisfying the cybersecurity company’s duty of care to its customers and vendors in the event of a systems failure. If CrowdStrike is found to be negligent in its performance of the Delta contract, a court could declare that the damage caps in its contract moot, thus entitling Delta and other similarly impacted CrowdStrike customers to a much larger financial recovery.
It remains to be seen whether Delta will file a lawsuit, but such a case may be difficult to win, particularly if CrowdStrike can show that it reasonably fulfilled its contractual obligations. In some respects, the negligence argument is analogous to claiming that a sprinkler system provider should ensure a building can never have a fire, highlighting the unrealistic expectations sometimes placed on cybersecurity vendors.
This event highlights the challenging dynamic for Delta and any other CrowdStrike customer seeking damages, even though the incident made it impossible for them to operate their business effectively. Incidents like these are a harsh reminder that accidents, just like cyberattacks, can have serious impacts, and customers may still be on the hook for losses.
Responsibility includes accountability and trust
Regardless of the allegations from Delta, CrowdStrike appears to be holding up to its responsibility as a cybersecurity vendor. For example, this past week the company released a root cause analysis of the incident detailing the lessons learned, including how they are improving their process and identifying steps to enhance resilience.
Without question, a lot of things went wrong on July 19. This public volleying between CrowdStrike and Delta highlights the challenges for cybersecurity vendors and their customers in environments that operate in digital environments, reliant on multiple integrations and interdependencies. To effectively protect both cybersecurity vendors and their customers, both parties must hold themselves accountable and act as trustworthy partners in protecting against cyber and business continuity risks.
4 ways to manage these risks
Given the ever-present cyber risks and potential for downtime events that pose a serious threat to business continuity, it makes sense for companies to identify alternative ways to manage these risks.
1. Understand how incidents like these can impact business and operations. It is now critical to fully understand how an outage could impact the business and enable internal teams to focus on impact mitigation strategies in addition to typical incident response.
2. Know the status quo when negotiating contracts with vendors to the greatest extent possible. At the beginning of a vendor relationship, consider the impact if that vendor fails to the extent that the customer can’t deliver on its own business obligations. If Delta could have foreseen this event and its impact, they could have negotiated higher limitations of liability in the contract (although unlikely to come anywhere close to the $500M mark).
3. Consider insurability. Based on various insurance industry estimates, it appears that insurance recovery for this event will only be a fraction of the total estimated losses. Additionally, many cyber insurance policies are designed to primarily cover malicious events, which this event was not. That said, coverage is available for losses of this type and companies should be reviewing their policies right now and seeking to amend coverage as desired.
4. Evaluate whether it makes sense to have redundant or alternative capabilities in place in case of a vendor failure. It may turn out that entirely redundant capabilities are cost prohibitive or impractical, but by not at least considering the question and understanding the tradeoffs, the business is not fulfilling its own duty of care.
A new shared responsibility model
Minimizing risk requires vendors and their customers to work together. No cybersecurity vendor has control over the environments in which their solutions are deployed, but they can and must do their best to minimize the risk that their solutions, intended to protect their customers, do not cause massive IT outages.
Customers, on the other hand, must maintain a modern IT infrastructure, stay up to date on available software patches, and be prepared for diverse risk scenarios. There is not a shared responsibility model defined for these types of relationships yet, but this may be the defining event that prompts one to emerge.
